Equifax has released information and confirmed the vulnerability (CVE-2017-5638) that was used in this breach after several days of intense scrutiny around Apache Struts. To make matters worse, there already was a patch available for this flaw in March 2017, two months prior to the incident.
1) Updated information on U.S. website application vulnerability. Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
Equifax’s efforts in response to this incident can be followed at www.equifaxsecurity2017.com, but the site has been called “completely broken at best, and little more than a stalling tactic or sham at worst.” And isn’t working for many people. So, we leave it up to your best judgment whether you should pay that site a visit .
Over 30 lawsuits have been filed against Equifax following the breach according to Reuters.
Quartz reported that the vulnerability they mentioned was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. The vulnerability announced on Sept. 4 has existed in Struts since 2008.
Apache responded to that report with this Apache Struts Statement on Equifax Security Breach.
On July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax’s overall security posture.
According to Equifax, online criminals maintained their presence from mid-May through July 2017 and had access to:
- Social Security numbers
- Birth dates
- Driver’s license numbers (in some cases)
- Credit card numbers (for approx. 209,000 U.S. consumers)
It also said that some personal information for certain UK and Canadian residents was part of this breach.
This is obviously bad news for consumers and it will only increase the lack of trust they have towards corporations that collect and store their data. It also serves as a reminder that there are ways to be proactive and exercise your right to have access to your information and put certain restrictions in place to make identity theft harder.
Equifax is offering a free identity theft protection and credit file monitoring to all of its U.S. customers while still investigating the intrusion, working along with a private firm and law enforcement. More information about this breach and how to apply for ID theft protection can be found by going to equifaxsecurity2017.com, a website Equifax has just set up.